Protecting your password

Protecting your account username and passphrase is fundamental to good security practices. This is especially true of your CalNet credentials, which provide access to a wide array of online services for students, faculty and staff.

Learn about the risks of stolen account credentials, how credentials are commonly stolen, and what you can do to protect your account information:

The Phish Tank - recent real-world examples of phishing messages received on campus

Responding to security notifications

As a student, faculty or staff-member, you may at some point receive a security notice from the Information Security & Policy team (ISP). Security notifications are sent via email and are generated by network security tools that search the campus network for systems compromised by hackers and computing devices with known security weaknesses. Notifications may also be initiated by outside reports of security problems.

If you receive a security notification, it will likely be related to one of the following issues:

A known vulnerability has been detected on your device (e.g., the device is running an unsupported operating system)

The device has potentially been compromised (e.g., the device has been infected with malware)

Your CalNet credentials have been exposed and must be reset

What should I do?

Read the notification message carefully and follow instructions for resetting your CalNet passphrase immediately, if required. Follow these steps if there is any indication that the system has been compromised:

Remove the computer from the network (e.g., disable wifi access to Airbears) to prevent the malware from spreading

Contact your IT service provider to assist with removing the malware and cleaning the system

Software Patching

The computing devices we use, whether campus-issued or self-owned, are the gateway between data that needs to be protected and the Internet at large. Keeping these devices patched is the most important defence against cyber attacks.

Why Patch?

New vulnerabilites in operating system and application software are discovered every day. By not applying patches, you might be leaving the door open for exploits of these vulnerabilities that can lead to the exposure of your personal information (e.g., Calnet ID, credit card info, etc.) or sensitive campus data.

Vulnerabilities in web browsers and email programs can allow malicious websites to infect or compromise your computing device with little or no action on your part other than clicking a link.

How to Patch

Some campus units subscribe to the campus-wide Berkeley Desktop standard, which automatically keeps desktop software up to date.

For students and staff who personally manage their computers, or who use personal BYOD computers or mobile devices, following are a list of security patch resources.

Information resources for keeping your computer operating system up to date:

Operating System

Resources

Microsoft Windows

Learn how to keep your PC current with automatic updates (includes instructions for supported versions of Windows O/S):

Note:If your PC is connected to a network where updates are managed by Group Policy, you might be unable to change settings related to Windows Update. Contact your IT support staff for more information.

Apple MacOS

Some critical security updates for your Mac are released as automatic updates. Your Mac checks for these updates daily, and when an automatic security update is available, it installs automatically and displays a notification.

Make sure the following options are selected in the System Preferences for the App Store:

Anti-Malware

What is "Malware"?

Malware is short for "malicious software" and describes programs designed to disrupt computer operations, gather sensitive information, or gain unauthorized access to a system. The impact of malware can range from minor system performance issues to deletion of data or even full, remote control access by an attacker.

Anti-malware

Anti-malware utilities are a standard and necessary layer of protection for networked systems, designed to detect and block malicious programming on individual computers.

System Center Endpoint Protection (SCEP) is an anti-malware product available free of charge to campus students, staff and faculty. Please visit the Software Central site for instructions on how to obtain SCEP:

Ensure that the anti-malware software receives regular signature updates. These updates contain information about new viruses and are often delivered mutiple times a week.

In order to detect malware before they are able to infect a system, enable real-time scanning. Real-time scanning will analyze files and programs as they are copied to a system in order to prevent the user from unknowingly becoming infected.

Mobile Computing

Considering how much we rely on our mobile devices, and how susceptible they are to attack, you'll want to make sure your smartphone is protected:

Understand app permissions before accepting them - be cautious about granting apps access to personal information

Accept updates and patches to your smartphone's software

Be smart on open Wi-Fi networks - your phone can be an easy target to cybercrimals on a public Wi-Fi network

For faculty and staff, at the most basic level of information security, knowing what kind of data we handle and the security protections required by campus policy for that data is key.

Know what you have

Data Classification

Understanding the classification level for the campus data you handle is fundamental to knowing what security protections are required by university policy. (Campus data is information relating to university activities or operations. It does not include an individual's personal information).

Data classification is determined by the potential adverse business impact to the campus due to the unauthorized exposure of restricted information.

Business Impact

Considerations for evaluating adverse business impact to the campus include the following:

Loss of critical campus operations

Negative financial impact

Damage to the reputation of the campus

Potential for regulatory or legal action

Violation of campus mission, policy, or principles

Protection Levels

The level of impact to the campus is designated by four (4) "Protection Level" classifications:

Protection Level 0 indicates "limited" or "no" adverse impact and is generally information intended for public access, such as public directory information, public websites, course listings and pre-requisites.

Protection Level 1 is assigned to data with a "moderate" adverse impact to the campus. This level includes student records, staff and academic personnel records, licensed software, and paid subscription electronic resources.

Protection Level 2 data has a "high" adverse impact to campus business and is defined by a statutory requirement to notify affected parties in the event of a breach. Examples include:

Social security number

Driver's license number

Financial account or credit card numbers

Personal medical information

Personal health insurance information

Protection Level 3 is reserved for data that creates extensive "shared-fate" risk between multiple sensitive systems, e.g., enterprise credential stores, backup data systems, and central system management consoles. This scenario would be deemed to have an "extreme" adverse impact.

Protection Profile Requirements

Data classifications align with campus policy "protection profile requirements", a list of security controls that are required for each protection level. The "protection profile" is also determined by the type of device and its use, as well as the protection level.

Device/Use Categories

The purpose or "use" of a computing device, together with the classification or "protection level" of the data that is processed or stored on the device, determines the set of security control requirements for the system.

There are three (3) Device/Use catagories:

Privileged Access Device - Any device where credentials are used to provide privileged access (e.g., super user or administrator) to an institutional device that is utilized for protected data.

Individual Device - Devices that process, store or transmit protected data that cannot be classified as either institutional or privileged access.

By default, all employee workstations (including laptops, tablets and smart phones) issued by the university are categorized, at a minimum, as Individual Protection Level 1 devices.

Baseline Data Protection Profiles

The MSSEI defines the baseline data protection profiles that determines system security control requirements. Each baseline profile is a minimum set of required security controls that correspond to the data classification protection level, the type of device, and the purpose or use of the device.

MSSEI Control Requirements

The MSSEI policy is comprised of 34 requirements in 17 catagories. The policy is derived from industry-accepted best practices for cyber defense, such as the SANS 20 Critical Security Controls. The requirements range from physical security, secure device configuration, vulnerability scanning, account monitoring and management, security training, and much, much more.

Campus units are responsible for ensuring that the security requirements for the systems and devices used for handling campus protected data within the unit meet MSSEI requirements. This can be accomplished by the following practices:

Gather feedback and recommendations for meeting control requirements by engaging the MSSEI Assessment Service with the Information Security & Policy team (for PL2 systems only).

Notify service providers (both internal campus resources and 3rd-party vendors) of the protection level assigned to the data and systems that they support, so that they clearly understand the MSSEI security requirements.

For more information

The MSSEI Baseline Data Protection Profile Summary provides links to each of the control requirements, including basic information and some examples. Separate guidelines are available for each of the control requirements, containing more detailed information and suggested recommendations.

Delete what you don't need

The first requirement listed in MSSEI is "1.1 Removal of non-required covered data" and it applies to all PL1 and PL2 devices (individual workstations and laptops, as well as institutional servers). The logic here is simple: By deleting the sensitive data that is no longer needed, we reduce the risk of that data being inadvertently exposed or compromised.

Requirement 1.1 specifies a "review of devices and storage media to identify and securely remove or destroy covered data that is no longer required for business purposes" at least once annually. A more frequent review process that removes data as it is no longer needed is preferable, if possible.

Secure Deletion Tools

Dragging files to the desktop Trash, and then "emptying" the Trash, does not actually delete the data stored on the disk. The markers that point to the location of the file on the disk drive are removed, but the data is still there until it is over-written by new data. Because of this, special care is required for decommissioning disk devices that store sensitive data, and for deleting sensitive files from a workstation or mobile device.